
ABSTRACT: Digital signature is an electronic signature form used by an original signer to sign a specific 
document. When the original signer is not in his office or when he/she travels outside, he/she delegates his 
signing capability to a proxy signer and then the proxy signer generates a signing message on behalf of the 
original signer. During the transmission of data between the sender and receiver, errors may occur frequently. 
Therefore, the sender must re-transmit the data to the receiver in order to correct these errors, which makes the 
system very feeble. The techniques of proxy signature and fault tolerance are two important issues in modern 
communication. To communicate securely over an unreliable public network, the two parties must be able to 
authenticate one another, and agree on a secret encryption key. Authenticated key agreement protocols have an 
important role in building a secure communication network between the two parties. In this paper, we propose 
a secure proxy signature scheme with fault tolerance over an efficient 
protocol based on factoring and the discrete logarithm problem. 


KEYWORDS: Discrete logarithm, Factoring

The cryptographic treatment of proxy signature scheme was first introduced by Mambo et al. in 1996 
[1]. Proxy signature is an important inquiry in the field of a digital signature. It permits an original signer to 
delegate his signing rights to a proxy signer, and then the proxy signer performs the message signing on behalf 
of the original signer. For example, a director of a company wants to leave for a long trip. He would require a 
proxy agent, to whom he would delegate his signing capability, and thereafter the proxy agent would sign the 
documents on behalf of the director. The classification of the proxy signature is dependent on the basis of 
delegation, namely full delegation, partial delegation and delegation by warrant, and presents a well-organized 
strategy. 

In full delegation, the proxy signer signs document using the same secret key of the original signer 
given by the original signer. The drawback of proxy signature with full delegation is the difficulty to 
distinguish/differentiate between original signer and proxy signer. In partial delegation, the proxy key is derived 
from the secret key of the original signer and handed over to the proxy signer as a delegation capability. Because 
partial delegation cannot restrict the proxy signer’s signing capability, he/she can misuse the delegation 
capability. The weaknesses of full delegation and partial delegation are eliminated by partial delegation with 
warrant. A warrant explicitly states the signer’s identity, delegation period, and the qualification of messages on 
which the proxy signer can sign. 

In 1997, Kim et al. [2] proposed a scheme using the concept of partial delegation with a warrant to 
restrict proxy signer signing capability. In 1999, Okamoto et al. [3], for the first time, proposed proxy 
unprotected signature scheme based on RSA scheme. A proxy-protected signature scheme based on the RSA 
assumption was proposed by Lee et al. in 2001 [4], [5]. In 2002, Shum and Wei [6] proposed another proxy 
protected signature scheme. Shao proposed the first proxy signature scheme based on the factoring integer 
problem in 2003 [7]. In 2005, Zhou et al. [8] proposed two efficient proxy-protected signature schemes. Their 
first system is based on RSA assumption and the second strategy was based on the integer factorization 
problem. Also, in 2005 Han et al. [9] introduced a relatively new proxy signature scheme which is as secure as 
ElGamal signature [10]. Next, a signature based on two hard problems, factoring and discrete logarithms, was 
introduced by Harn [11] and Li et al. [12]. For more security, in 2013, Mat-Isa and Ismail introduced a new 
proxy signature with the revocation based on factoring and discrete logarithm problems [13]. 

Due to the rapid growth in modern communication systems, fault tolerance and data security are two 
important issues in a secure transaction. During the transmission of data between the sender and receiver, errors 
may occur frequently. Therefore, the sender must re-transmit the data to the receiver in order to correct these 
errors, which makes the system very feeble. Digital signature schemes with fault tolerance make error 
detection and correction possible during the processes of data computation and transmission. Previously, Zhang 
[14] and Lee and Tsai [15] have respectively proposed two efficient fault-tolerant schemes based on the RSA 
cryptosystem. Both of them can efficiently check the sender’s identity and keep the confidentiality of the 
transmitted document. Furthermore, they can detect the errors and correct them. However, these schemes have a 
common weakness in security. Huifang Xue [16] has improved the mechanism of Lee and Tsai by providing 
extra security against Chosen Ciphertext Attacks (CCA) using a permutation matrix. If a malicious party looks into 
the message, he will find it difficult to understand it or to calculate the checksum/hash value due to the randomization of 
the permutation matrix. 

The two parties must authenticate mutually and agree on a secret encryption key to communicate 
together securely. To achieve this, key establishment protocols are applied at the beginning of a communication 
session in order to verify the parties’ identities and build a common session key. Authenticated key agreement 
protocols have an important role in establishing secure communications between the two parties over the open 
network. The most famous protocol for key agreement was proposed by Diffie and Hellman, which is based on 
the concept of public-key cryptography (DL) [17]. There are two types of the Diffie-Hellman protocol, namely 
static and ephemeral. In the first one, the parties exchange static public keys, and in the second, they exchange 
ephemeral public keys [18]. The important feature of the designed protocol is that the established session key is 
formed as a combination of static and ephemeral private keys of two parties. 

In this paper, we propose a secure proxy signature scheme over an efficient and secure authenticated 
key agreement protocol based on two hard problems; factoring and discrete logarithm problems. The designed 
protocol for authenticated key agreement is secure as well as efficient and provides authentication between two 
entities before exchanging the session keys. The remaining parts of this paper are organized as follows: In 
Section II, we elaborate security properties of the proxy signature scheme. Next, we discuss the designed 
protocol in Section III. In Section IV, we proposed our proxy signature scheme. We analyze the security 
properties and common attacks of our proposed scheme in Section V. Finally, in Section VI, we give our 
conclusion. 

II. Security Requirements of Proxy Signature 

The security requirements for any proxy signature are first studied in [14] and later were improved in 
[1], [2]. According to them, a secure proxy signature scheme is expected to satisfy the following five 
requirements : 

1. Verifiability: A verifier can be confident of the original signer’s agreement on the signed message from a 
proxy signature. 

2. Strong unforgeability: Only the designated proxy signer can generate a valid proxy signature. 

3. Strong identifiability: The identity of the proxy signer can be determined by any verifier from a proxy 
signature. 

4. Strong undeniability: The proxy signer cannot repudiate the signature creation against anyone else, once he 
creates a valid proxy signature on behalf of an original signer. 

5. Prevention of misuse: The responsibility of the proxy signer should be determined explicitly if he misuses 
the proxy key for the purposes other than generating a valid proxy signature. 

III. New Key Agreement Protocol 

The used protocol for the authenticated key agreement [19] provides authentication between the two 
parties A and B before exchanging the session keys. The protocol consists of three phases: the Registration 
Phase, the Transfer and Substantiation Phase, and the Key Generation Phase. Fig. 1 shows the overall 
operation of the new protocol. 

The system picks short-term private keys $r_A, r_B$; they are random integers with $2 < r_A, r_B < n_1$ and 
$\mathrm{GCD}(r, n_1) = 1$, where $n_1 = (p-1)(q-1)$ and $p$, $q$ are large safe prime numbers, normally at least 512 bits. 
$t_A, t_B$ are short-term public keys where $t_A = g^{r_A} \bmod n$ and $t_B = g^{r_B} \bmod n$, $g$ is a generator of $Z^*$ and 
$n = pq$ is the long-term public key, at least 1024 bits. Then, the system picks long-term private keys $x_A, x_B$; they are 
random integers where $2 < x_A, x_B < n_1$ and $\mathrm{GCD}(x, n_1) = 1$, and computes the long-term public keys $y_A, y_B$ where 
$y_A = g^{x_A} \bmod n$ and $y_B = g^{x_B} \bmod n$. $K_{AB}$ is the shared secret key calculated by the new secure protocol 
between the two parties A and B. 

In the new protocol, there is only one message sent from one entity to another. The message is sent 
from A to B and vice versa from B to A; both have the same structure and are independent of each other. The 
protocol has low communication overhead, where the total number of transmitted bits is $|n|$. The protocol has 
low complexity (complexity is 4) since the protocol needs only four exponential operations. So, it provides 
desirable performance attributes. 

IV. Iuon and Chin Chang’s Scheme 

Iuon and Chin Chang’s scheme [15] is developed from the concept of meta-ElGamal signature scheme 
[14] and the concept of Zhang’s fault-tolerant signature scheme. In ElGamal digital signature scheme, a system 
first chooses a large prime $p$ and a generator $g$, such that $g \in Z_p^*$ with order $p - 1$. Both $p$ and $g$ can be shared 
among a system of users. To generate a key pair, the signer A first chooses a random number $x_A$, $x_A \in Z_{p-1}$, 
and calculates $y_A = g^{x_A} \bmod p$. A keeps $x_A$ secret and publishes $y_A$. Suppose that the signer Alice will send a 
message with her signature to the receiver Bob. Alice possesses a secret key $x_A$ and a public key $y_A$. The 
proposed scheme can be divided into two procedures: 

1. The signature generation procedure, 

2. The fault tolerance and signature verification procedure. 

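4.1 The Signature Generation Procedure 

1. Alice first divides the transmitted message M into numerical 3x3 message matrices $X_i$'s, such that 

$$X_i = \begin{pmatrix} m_{11} & m_{12} & m_{13} \\ m_{21} & m_{22} & m_{23} \\ m_{31} & m_{32} & m_{33} \end{pmatrix} \qquad (1)$$

where $m_{ij}$, $1 \le i \le 3$, $1 \le j \le 3$, is a message block and $m_{ij} \in Z$. 

2. For each message matrix $X_i$, Alice calculates its signature and constructs an expanded matrix $D_i$, such that 

$$D_i = \begin{pmatrix} m_{11} & m_{12} & m_{13} & r_1 & s_1 & t_1 \\ m_{21} & m_{22} & m_{23} & r_2 & s_2 & t_2 \\ m_{31} & m_{32} & m_{33} & r_3 & s_3 & t_3 \end{pmatrix} \qquad (2)$$

The $r_i$, $s_i$, $t_i$, $r^j$, $s^j$ and $t^j$ can be calculated by using the following equations 

$$r_i = g^{k_i} \bmod p, \qquad (3)$$

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod p-1, \qquad (4)$$

$$s_i = (H(m_{i1}) \cdot t_i - H(m_{i2}) \cdot r_i \cdot x_A)(H(m_{i3}) \cdot k_i)^{-1} \bmod p-1, \qquad (5)$$

$$r^j = g^{k_j} \bmod p, \qquad (6)$$

$$t^j = \sum_{i=1}^{3} m_{ij} \bmod p-1, \qquad (7)$$

$$s^j = (H(m_{1j}) \cdot t^j - H(m_{2j}) \cdot r^j \cdot x_A)(H(m_{3j}) \cdot k_j)^{-1} \bmod p-1, \qquad (8)$$

where $H()$ is a public one-way hash function. 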

4.2 The Fault Tolerance and Signature Verification Procedure 

1. Bob first detects errors by checking the equations 

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod p \quad \text{and} \quad t^j = \sum_{i=1}^{3} m_{ij} \bmod p \qquad (9)$$

If there is an error in $m_{uv}$, $1 \le u, v \le 3$, we must have that $t_u \ne \sum_{j=1}^{3} m_{uj} \bmod p-1$ and $t^v \ne \sum_{i=1}^{3} m_{iv} \bmod p-1$. 
Therefore, the error could be easily detected. 

2. After the error is detected in $m_{uv}$, it may be corrected by using either one of the following two equations 

$$m_{uv} = t_u - \sum_{j=1,\, j \ne v}^{3} m_{uj} \bmod p \quad \text{or} \quad m_{uv} = t^v - \sum_{i=1,\, i \ne u}^{3} m_{iv} \bmod p \qquad (10)$$

3. After correcting the errors, Bob has to verify the validity of the recovery and its corresponding signatures by 
checking whether 

$$g^{H(m_{i1}) \cdot t_i} = y_A^{H(m_{i2}) \cdot r_i} \cdot r_i^{H(m_{i3}) \cdot s_i} \bmod p \quad \text{and} \quad g^{H(m_{1j}) \cdot t^j} = y_A^{H(m_{2j}) \cdot r^j} \cdot (r^j)^{H(m_{3j}) \cdot s^j} \bmod p \qquad (11)$$

or not. If the above verifications are positive, Bob will believe that the contents of the recovered messages are 
valid. Otherwise, Bob can choose not to accept the received messages. 
V. The Proposed Proxy Signature Scheme 

The proposed proxy scheme is based on the new authenticated key agreement protocol with two hard 
problems, factoring and discrete logarithm problems. The system is divided into four phases: System setup, 
Proxy key generation, Proxy key verification, Proxy signature generation and Proxy signature verification. 


5.1 System Setup 

For the convenience of describing our work, we define the parameters as follows: 


A: Original signer 
P: Proxy signer 
B: Receiver 
$p, q$: Two large prime numbers 
(^A, d_A): Secret key of original signer, d_A = e 
$(e_A, n_A)$: Public key of original signer 
$h()$: A secure one-way hash function. 
$K_{AP}$: Shared secret key between A and P 
$m_w$: A warrant 
$ID_A, ID_P$: Identity of A and P 
$G$: Subgroup of $Z^*$ of order $pq$. 
$g$: Generator of $G$. 
$x_A, x_P$: Long-term private keys of A and P. 
$y_A, y_P$: Long-term public keys: $y_A = g^{x_A}$ mod 

5.2 Proxy Key Generation 

1. The original signer entity A first divides the transmitted message M into numerical 3x3 message matrices 
and does the following: 

• Selects arbitrary integer values $k_i, k_j \in Z_{p-1}$ 

• Find $r_i = g^{k_i} \bmod p$ and $r^j = g^{k_j} \bmod p$ 

• Calculate warrant $m_w$, where $m_w$ must be created from $ID_A$, $ID_P$ and other data on the delegation. 

• Compute $h(m_w \| r_i \| K_{AP})$ and $h(m_w \| r^j \| K_{AP})$ 

• Find $\sigma_i = k_i + x_A * h(m_w \| r_i \| K_{AP}) \bmod p-1$ and $\sigma^j = k_j + x_A * h(m_w \| r^j \| K_{AP}) \bmod p-1$ 
for all $1 \le i \le 3$, $1 \le j \le 3$. 

• Compute $u_i = \sigma_i^{d_A} \bmod n_A$, $u^j = (\sigma^j)^{d_A} \bmod n_A$ 

• Send $(m_w, r_i, r^j, K_{AP}, u_i, u^j, \sigma_i, \sigma^j)$ to the proxy signer in the secure channel. 

2. The proxy signer does the following: 

• Shares a key $d_A$ with original signer 

• Checks the validity of $(m_w, r_i, r^j, K_{AP}, u_i, u^j, \sigma_i, \sigma^j)$ by verifying whether or not the following equation 
holds 


M 


»(m.Dr,[IE,.] j u J ] h(nL,Xr K. p ) 

= r t y A ^ 1 " and g = > y A * AP 

(12) 

If the verification is successful, the proxy signer then computes an alternative proxy private/public key pair 
$\sigma_{pr}$ and $y_{pr}$, respectively, such that 

$$\sigma_{pr,i} = \sigma_i + x_P * h(m_w \| r_i \| K_{AP}) \bmod p-1, \qquad y_{pr,i} = g^{\sigma_{pr,i}} \bmod p \qquad (13)$$

$$\sigma_{pr}^{j} = \sigma^j + x_P * h(m_w \| r^j \| K_{AP}) \bmod p-1, \qquad y_{pr}^{j} = g^{\sigma_{pr}^{j}} \bmod p \qquad (14)$$

5.3 Signature Generation 

Now, the proxy signer P will sign a message M on behalf of the original signer; he uses $\sigma_{pr}$ to perform the 
signing operation. The proxy signature on the message M is as follows 

$$s_i = (H(m_{i1}) \cdot t_i - H(m_{i2}) \cdot \sigma_i \cdot y_{pr,i})(H(m_{i3}) \cdot \sigma_{pr,i})^{-1} \bmod p-1,$$

$$s^j = (H(m_{1j}) \cdot t^j - H(m_{2j}) \cdot \sigma^j \cdot y_{pr}^{j})(H(m_{3j}) \cdot \sigma_{pr}^{j})^{-1} \bmod p-1, \qquad (15)$$

where $t_i = \sum_{j=1}^{3} m_{ij} \bmod p-1$ and $t^j = \sum_{i=1}^{3} m_{ij} \bmod p-1$, for all $1 \le i \le 3$, $1 \le j \le 3$. 

5.4 Fault tolerance and Signature Verification 

1. The receiver B first detects errors by checking the equations 

$$t_i = \sum_{j=1}^{3} m_{ij} \bmod p \quad \text{and} \quad t^j = \sum_{i=1}^{3} m_{ij} \bmod p \qquad (16)$$

If there is an error in $m_{uv}$, $1 \le u, v \le 3$, we must have that $t_u \ne \sum_{j=1}^{3} m_{uj} \bmod p-1$ and $t^v \ne \sum_{i=1}^{3} m_{iv} \bmod p-1$. 
Therefore, the error could be easily detected. 

2. After the error is detected in $m_{uv}$, it may be corrected by using either one of the following two equations 

$$m_{uv} = t_u - \sum_{j=1,\, j \ne v}^{3} m_{uj} \bmod p \quad \text{or} \quad m_{uv} = t^v - \sum_{i=1,\, i \ne u}^{3} m_{iv} \bmod p \qquad (17)$$

3. The receiver B receives the signed message and has to check whether or not the following equations hold: 

$$g^{H(m_{i1}) \cdot t_i} = y_{pr,i}^{H(m_{i3}) \cdot s_i} \cdot \left(r_i \, y_A^{h(m_w \| r_i \| K_{AP})}\right)^{H(m_{i2}) \cdot y_{pr,i}} \bmod p$$

$$g^{H(m_{1j}) \cdot t^j} = (y_{pr}^{j})^{H(m_{3j}) \cdot s^j} \cdot \left(r^j \, y_A^{h(m_w \| r^j \| K_{AP})}\right)^{H(m_{2j}) \cdot y_{pr}^{j}} \bmod p$$

$$y_{pr} = r \, (y_A y_P)^{h(m_w \| r \| K_{AP})} \bmod p$$
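The delegation, proxy key, signing and verification steps of Sections 5.2 to 5.4 for a single row of one message matrix, as an added Python example (not the authors' code). Assumptions: constructed toy parameters, SHA-256 mapped to a unit mod p-1 as the hash, a delegation check of the form u^{e_A} mod n_A = σ and g^σ = r·y_A^h mod p, and a verifier that is handed K_AP because the page's check hashes it.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy parameters for the demo; they are not secure choices.
P = 2**127 - 1                        # prime p
Q1 = P - 1                            # exponents live mod p-1
G = 3                                 # demo base standing in for the generator g
RP, RQ = 2**89 - 1, 2**107 - 1        # RSA primes of the original signer A
N_A, E_A = RP * RQ, 65537             # public key (e_A, n_A)
D_A = pow(E_A, -1, (RP - 1) * (RQ - 1))   # private exponent d_A

def h(*parts):
    """SHA-256 mapped to a unit mod p-1 (assumption) so products stay invertible."""
    data = "|".join(str(x) for x in parts).encode()
    v = int.from_bytes(hashlib.sha256(data).digest(), "big") % Q1
    while gcd(v, Q1) != 1:
        v = (v + 1) % Q1
    return v

def delegate(x_a, m_w, k_ap):
    """A: r = g^k, sigma = k + x_A*h(m_w||r||K_AP) mod p-1, u = sigma^d_A mod n_A."""
    k = secrets.randbelow(Q1 - 2) + 2
    r = pow(G, k, P)
    sigma = (k + x_a * h(m_w, r, k_ap)) % Q1
    return r, sigma, pow(sigma, D_A, N_A)

def accept_delegation(y_a, m_w, k_ap, r, sigma, u):
    """P: assumed check, u opens to sigma under (e_A, n_A) and g^sigma = r*y_A^h."""
    hw = h(m_w, r, k_ap)
    return pow(u, E_A, N_A) == sigma and pow(G, sigma, P) == r * pow(y_a, hw, P) % P

def proxy_keys(x_p, m_w, k_ap, r, sigma):
    """Equation (13): sigma_pr = sigma + x_P*h(...) mod p-1, y_pr = g^sigma_pr mod p."""
    sigma_pr = (sigma + x_p * h(m_w, r, k_ap)) % Q1
    return sigma_pr, pow(G, sigma_pr, P)

def proxy_sign_row(row, sigma, sigma_pr, y_pr):
    """Equation (15) for one row; pow() raises ValueError if sigma_pr is not a unit."""
    t = sum(row) % Q1
    inv = pow(h(row[2]) * sigma_pr, -1, Q1)
    return t, (h(row[0]) * t - h(row[1]) * sigma * y_pr) * inv % Q1

def verify_row(row, t, s, r, y_pr, y_a, y_p, m_w, k_ap):
    """B: checksum, y_pr = r*(y_A*y_P)^h mod p, then the row signature equation."""
    hw = h(m_w, r, k_ap)
    if t != sum(row) % Q1 or y_pr != r * pow(y_a * y_p, hw, P) % P:
        return False
    bound = pow(r * pow(y_a, hw, P) % P, h(row[1]) * y_pr, P)  # (g^sigma)^(H(m_i2)*y_pr)
    return pow(G, h(row[0]) * t, P) == pow(y_pr, h(row[2]) * s, P) * bound % P

def demo():
    x_a, x_p = secrets.randbelow(Q1 - 2) + 2, secrets.randbelow(Q1 - 2) + 2
    y_a, y_p = pow(G, x_a, P), pow(G, x_p, P)
    m_w, k_ap = "ID_A|ID_P|constructed warrant", secrets.randbits(128)
    while True:  # sigma_pr is inverted mod p-1 when signing, so redo until it is a unit
        r, sigma, u = delegate(x_a, m_w, k_ap)
        if not accept_delegation(y_a, m_w, k_ap, r, sigma, u):
            raise RuntimeError("delegation check failed")
        sigma_pr, y_pr = proxy_keys(x_p, m_w, k_ap, r, sigma)
        if gcd(sigma_pr, Q1) == 1:
            break
    row = [1101, 2202, 3303]                       # constructed message blocks
    t, s = proxy_sign_row(row, sigma, sigma_pr, y_pr)
    pub = (r, y_pr, y_a, y_p)
    return {
        "valid": verify_row(row, t, s, *pub, m_w, k_ap),
        "swapped_blocks": verify_row([2202, 1101, 3303], t, s, *pub, m_w, k_ap),
        "other_warrant": verify_row(row, t, s, *pub, "ID_A|ID_X|constructed", k_ap),
    }

if __name__ == "__main__":
    print(demo())
```

The swapped-block case keeps the row checksum intact, so it is the signature equation, not the checksum, that rejects it.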


VI. Security Analysis 

In the following, we show that the proposed schemes satisfy the security features, namely, verifiability, 
strong unforgeability, strong undeniability, strong identifiability, and prevention of misuse. 


6.1 Verifiability 


According to step 1 of the fault tolerance and the signature verification procedure, if an error occurs 
in $m_{ij}$, then $t_i \ne m_{i1} + m_{i2} + m_{i3} \bmod p$ and $t^j \ne m_{1j} + m_{2j} + m_{3j} \bmod p$. The fault message $m_{ij}$ can be 
recovered by computing $m_{ij} = t_i - (\sum_{k=1,\, k \ne j}^{3} m_{ik}) \bmod p$, if the rest of the messages $m_{ik}$'s, where $k = 1$ to 3 and $k \ne j$, in the $i$-th row are correct. 
On the other hand, if the rest of the messages $m_{kj}$'s, where $k = 1$ to 3 and $k \ne i$, in the $j$-th column are correct, the 
fault message $m_{ij}$ also can be recovered by computing $m_{ij} = t^j - (\sum_{k=1,\, k \ne i}^{3} m_{kj}) \bmod p$. Therefore, an error is 
correctable only when no other errors simultaneously occur in the same row $i$ and the same column $j$. In the 
proposed scheme, we can correct four errors in a message matrix $X$ at most. Figure 2 illustrates the 
correctable conditions when four errors simultaneously occur in a message matrix. Therefore, all the four errors 
can be corrected by using the check-sums in either the row or the column direction. 

Fig. 2. The correctable conditions when there are four errors simultaneously occurring in a message matrix 
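The detection and correction steps of Sections 4.2 and 5.4, and the row/column argument above, as an added Python example (not code from the paper). It is narrowed to the case where the failing checksums alone pin down the error positions, that is, all errors lie in one row or in one column; any other pattern is reported as ambiguous. A single modulus p-1 is assumed for every checksum, and the matrix values are constructed.

```python
MOD = 2**127 - 2   # p - 1 for a constructed toy prime p = 2**127 - 1

def checksums(X, mod=MOD):
    """Row checksums t_i and column checksums t^j of a 3x3 block matrix."""
    t_rows = [sum(row) % mod for row in X]
    t_cols = [sum(X[i][j] for i in range(3)) % mod for j in range(3)]
    return t_rows, t_cols

def detect(X, t_rows, t_cols, mod=MOD):
    """Indices of the rows and columns whose received checksum does not match."""
    rows, cols = checksums(X, mod)
    bad_r = [i for i in range(3) if rows[i] != t_rows[i]]
    bad_c = [j for j in range(3) if cols[j] != t_cols[j]]
    return bad_r, bad_c

def correct(X, t_rows, t_cols, mod=MOD):
    """Return a corrected copy of X, or None when the positions are ambiguous."""
    Y = [list(row) for row in X]
    bad_r, bad_c = detect(Y, t_rows, t_cols, mod)
    if not bad_r and not bad_c:
        return Y
    if len(bad_r) == 1 and bad_c:
        u = bad_r[0]                     # every error sits in row u
        for v in bad_c:                  # and is alone in its column: use t^v
            Y[u][v] = (t_cols[v] - sum(Y[i][v] for i in range(3) if i != u)) % mod
    elif len(bad_c) == 1 and bad_r:
        v = bad_c[0]                     # every error sits in column v
        for u in bad_r:                  # and is alone in its row: use t_u
            Y[u][v] = (t_rows[u] - sum(Y[u][j] for j in range(3) if j != v)) % mod
    else:
        return None                      # several rows and columns fail: not locatable
    # Both checksum directions must agree after the repair.
    return Y if detect(Y, t_rows, t_cols, mod) == ([], []) else None

def demo():
    sent = [[11, 22, 33], [44, 55, 66], [77, 88, 99]]        # constructed blocks
    t_rows, t_cols = checksums(sent)
    one_error = [[11, 22, 33], [44, 55, 60], [77, 88, 99]]   # m_23 damaged
    row_burst = [[1, 2, 3], [44, 55, 66], [77, 88, 99]]      # three errors in row 1
    diagonal = [[12, 22, 33], [44, 50, 66], [77, 88, 99]]    # m_11 and m_22 damaged
    return (correct(one_error, t_rows, t_cols) == sent,
            correct(row_burst, t_rows, t_cols) == sent,
            correct(diagonal, t_rows, t_cols))

if __name__ == "__main__":
    print(demo())
```

A matrix returned by `correct` still has to pass the signature check of step 3 before it is accepted.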


According to step 2, the receiver B can check the verification equation: 

$$\begin{aligned}
y_{pr} &= g^{\sigma_{pr}} \bmod p \\
&= g^{\sigma + x_P * h(m_w \| r \| K_{AP})} \bmod p \\
&= g^{\sigma} g^{x_P * h(m_w \| r \| K_{AP})} \bmod p \\
&= g^{k + x_A * h(m_w \| r \| K_{AP})} g^{x_P * h(m_w \| r \| K_{AP})} \bmod p \\
&= g^{k} g^{x_A * h(m_w \| r \| K_{AP})} g^{x_P * h(m_w \| r \| K_{AP})} \bmod p \\
&= g^{k} (g^{x_A} g^{x_P})^{h(m_w \| r \| K_{AP})} \bmod p \\
&= r \, (y_A y_P)^{h(m_w \| r \| K_{AP})} \bmod p
\end{aligned}$$

6.2 Strong Unforgeability 

In this scheme, the proxy signature is created with the proxy signer's secret key $x_P$ and delegated 
proxy key $\sigma$. The proxy key is bound with the original signer's secret key $x_A$ and the session key $K_{AP}$. No one 
(including the original signer) can construct the proxy signature. If the original signer tries to construct the 
proxy private key from a proxy public key, he/she will need to solve the discrete logarithm problem. However, 
the discrete logarithm problem is difficult. Moreover, from Equation (12) the verification of $h(m_w \| r \| K_{AP})$ 
with the signed message prevents the dishonest party from the creation of forged proxy signature. Therefore, 
any party, including the original signer, cannot forge a valid proxy signature and thus the proposed scheme 
satisfies the unforgeability property. 


6.3 Strong Identifiability 

Any verifier can determine the identity of the proxy signer from the proxy signatures created by the 
proxy signer. Therefore, in the proposed scheme, any verifier can identify the identity of the proxy signer from 
the proxy signature generated by him on the message M. 


6.4 Strong Undeniability: 

In the proposed scheme, from Equations (13, 14) the involvements of both original signer and proxy 
signer are determined by the secret keys $x_P$ and $d_A$ from the proxy signature. Thus, the proxy signer and the 
original signer cannot deny their involvement in a valid proxy signature. So, the scheme satisfies the 
undeniability property. 

6.5 Prevention of Misuse 

In the proposed scheme, the proxy signer cannot forge the delegated rights. The responsibility of the 
proxy signer is determined from the warrant $m_w$ in the case of the proxy signer's misuse. Therefore, the original 
signer's misuse is also prevented because he cannot compute a valid proxy signature against the proxy signer. 

Next, we show that our scheme is heuristically secured by considering the following five most common attacks. 


Known-Key Security (K-KS): In the proposed scheme, if an established session key between original 
signer and proxy signer is disclosed, the adversary is unable to learn the other established session keys. In each 
run of the proposed scheme between the two parties, a unique session key which depends on $r_A$ and $r_P$ should 
be produced. Therefore, the adversary cannot compute $K_{AP}$ and cannot calculate 
$\sigma = k + x_A * h(m_w \| r \| K_{AP}) \bmod p-1$. 

(Perfect) Forward Secrecy: If both secret keys of two parties are compromised, the adversary is 
unable to derive old session keys established by two parties. The protocol also possesses forward secrecy. 
Suppose that adversary compromises the private keys $x_A$; he/she cannot calculate 
$\sigma = k + x_A * h(m_w \| r \| K_{AP}) \bmod p-1$. Moreover, the secrecy of previous session keys established by honest 
parties is not affected, because an adversary who captured the private key $x_A$ should extract the ephemeral keys 
$r_A$ or $r_P$ from the exchanged values to know the previous or next session keys between them. However, this is 
DLP (Discrete Logarithm Problem). On the other hand, assume adversary is able to solve FAC problem, that 
means he/she knows the prime factorization of $n_A$ and can compute $d_A$; however, he/she cannot compute 
$\sigma = k + x_A * h(m_w \| r \| K_{AP}) \bmod p-1$ since no information is available for $x_A$. Thus, he/she still fails to 
produce $\sigma$ to send to proxy signer. 

Key-Compromise Impersonation (K-CI): When the private key of original signer is compromised, it 
may be desirable that this event does not enable an adversary to impersonate the other entities to A. Suppose 
that A’s long-term private key $x_A$ is disclosed. Now, an opponent who knows this value can clearly impersonate 
A. In the proposed scheme, the opponent cannot impersonate P to A and compute 
$\sigma_{pr} = \sigma + x_P * h(m_w \| r \| K_{AP}) \bmod p-1$ without knowing P’s long-term private key $x_P$. For the success 
of the impersonation, the opponent must know A’s ephemeral key $r_A$. So, in this case, the opponent should 
extract the value $r_A$ from $t_A = g^{r_A} \bmod n$; however, he/she cannot calculate the sharing key, and this is DLP. 
Furthermore, he cannot compute $u = \sigma^{d_A} \bmod n_A$ which is the RSA 

Unknown Key-Share (UK-S): The original signer A cannot be coerced into sharing a key with the 
proxy signer P without the knowledge of the original signer, i.e., A believes that the key is shared with some 
entity $C \ne P$, and P believes that the key is shared with A. The used protocol prevents unknown key-share. 
Corresponding to the proxy signer’s public static and ephemeral keys $y_P, t_P$, an adversary cannot register 
proxy signer's public keys $y_P, t_P$ as its own, and according to the assumption of this protocol that $s_2$ has 
verified that P possesses the private static and ephemeral keys $x_P$, $r_P$, respectively. So an adversary cannot 
deceive the original assuming that $\sigma_{pr} = \sigma + x_P * h(m_w \| r \| K_{AP}) \bmod p-1$ was originated from him. 
Therefore, the original signer cannot be coerced into sharing $K_{AP}$ with the proxy signer without his/her 
knowledge. 


VII. Conclusion 

In this paper, we proposed a new secure proxy signature with fault tolerance and a new key agreement 
protocol based on factoring and discrete logarithms. Our scheme does not consider the proxy revocation 
mechanism. Because it is based on two hard problems, the scheme provides a higher level of security than 
one based on a single hard problem. Furthermore, it satisfies the capability of correcting at most four errors for each 3x3 message 
matrix. On the other hand, the scheme satisfies the necessary security requirements of proxy signature and has a 
secure channel to deliver the proxy key, through the designed new protocol that meets the security attributes 
under the assumption of DLP and RSA. 